2023 Data Security Incident Response Report

Pixel & Other Website Technologies Take Center Stage


The Dobbs decision coincided with the publication of an investigative report about the use of advertising technology on hospital websites. Several regulators scrambled to give consumers, health apps, and HIPAA-covered entities admonishments and guidance on the risks and limitations surrounding the use of this type of technology. Simultaneously, a deluge of class actions was filed, alleging various causes of action stemming from the use of this technology. For many healthcare entities, 2022 will be remembered as “The Year of the Pixel.”


A Tidal Wave of Proactive Regulatory Activity

Regulators got involved quickly after the Dobbs decision and the publication of the investigative report mentioned above:

  • HHS OCR issued guidance asserting that consumers should understand that many menstrual cycle and health tracking apps are not subject to HIPAA, and that information consumers provide to those app providers is not covered by the regulation’s protections.
  • The FTC warned that it would investigate health technology companies that mislead consumers about data anonymization or data sharing.
  • HHS OCR guidance asserted that if HIPAA-covered entities send IP addresses of website visitors to tracking technology vendors, those IP addresses are PHI. Accordingly, a business associate agreement must be in place with the vendor, or the covered entity must assess the disclosure under the breach risk assessment standard. We have worked with dozens of clients regarding this issue and believe there are opportunities to determine no breach occurred.
  • HHS OCR, state attorneys general, and U.S. Congress members issued dozens of investigation demands to health industry entities related to the use of tracking technology on websites.


The focus on website technologies and health-related information is likely to continue in 2023 and beyond. Entities should ensure a strong corporate governance process and collaborative approach between marketing and compliance departments, an in-depth understanding of the use of this technology, and a thorough assessment of the risks and benefits conferred on the entity to determine whether continued use is appropriate.

The FTC Reminds Health-Tech That the OCR Is Not the Only Health Entity Regulator

In February and March 2023, the FTC announced a $1.5 million settlement with a prescription coupon service and a $7.8 million settlement with a mental health provider in two matters that appear to have been in the works within the FTC since well before July 2022. In both cases, the FTC challenged health entities sharing consumer health data with third parties for advertising purposes. After several quiet years in the health technology industry, the sudden uptick in the FTC’s activity is likely due to the perfect storm of a post-Dobbs era, where online activity could be used against consumers, and the throng of health-tech startups coming to market in the last few years, driven, at least in part, by needs newly identified during COVID. Non-HIPAA-regulated entities need to take a very close look at their privacy policies, ensure that all third-party sharing is adequately described, and ensure that they are obtaining express consent from consumers for any sharing of health information, particularly if the sharing is related to advertising.

A New Wave of Privacy Class Actions

Since August 2022, more than 50 lawsuits have been filed against hospital systems, alleging they track and disclose patients’ identities and online activities via third-party website analytics tools without the website visitors’ knowledge and consent. The claims asserted include those based on (a) contracts (alleged inaccurate website privacy policies or notices); (b) state privacy laws (alleged unauthorized disclosures of personal and/or health information to third parties); and (c) federal or state wiretapping laws (alleged interceptions of communications). Motion to dismiss briefing is ongoing in many of these cases and involves these issues:

  • Breach of contract: Whether HIPAA-required privacy notices form a contract, and whether plaintiffs have failed to identify the specific contract provisions allegedly breached.
  • State privacy laws: Whether plaintiffs consented to the alleged tracking, and whether plaintiffs have failed to plead facts showing a “highly offensive” intrusion.
  • Breach of confidence, negligence, and breach of fiduciary duty: Whether a state already has a common law tort for the alleged unauthorized disclosure.
  • State consumer protection laws: Whether the plaintiff has identified sufficient damages.

In addition to determining whether any of these arguments would be appropriate in a motion to dismiss, defendants should consider the following:

  • For wiretap act claims, evaluate whether the “contents” of communications are at issue, and whether the applicable statute requires two-party or one-party consent; under a one-party consent statute, the website operator’s own consent to the recording may foreclose any “interception.”
  • Evaluate whether claims are subject to binding arbitration and/or class action waivers, which may form the basis of a successful motion to compel arbitration or a motion to strike class allegations, respectively.

If claims survive a motion to dismiss, opposing class certification becomes critical. Entities should focus on key differences in putative class members’ experiences to narrow a class (purpose for visiting website, pages visited, and browser and device settings – each impacting what information, if any, was transmitted). And remember, even though a court may certify a class, it can later decertify it.

“We are currently defending more than 200 privacy or data security lawsuits. Over 50 of those cases involve Pixel-related issues.”